[eluser]pickupman[/eluser]
You are correct. The have finally finished this up in the latest update. When set to true, form_open() will add the hidden token value to the form. If you are creating the <form > tag manually, and have csrf set to TRUE, you will need to add this value in.
This gets a little tricky with some web services like Paypal/JSON/AJAX. If you try using IPN which POSTs data back, you will have problems. I found it best to create a whitelist of IP addresses to turn off the protection. Or use
Code:
$this->config->set_item('csrf_protection', TRUE);